Support a "deny list"

[PragTob]

Code of Conduct

• I agree to follow this project's Code of Conduct

AI Policy

• I agree to follow this project's AI Policy, or I agree that AI was not used while creating this issue.

Is your feature request related to a problem? Please describe.

I want to use usage_rules, but some of the usage_rules are completely unnecessary context. I.e. there is a dependency on LiveView for the Phoenix Dashboard but the application absolutely doesn't use it - similar for Phoenix.HTML (API only use case).

I'd like a solution where I could deny list/not allow certain dependencies.

Describe the solution you'd like

Some form of API to ignore dependencies (couldn't find it). Whether that be an exclude: [...] in the config or one entry per dependency (or sub rule even) followed by ignore: true or something - both work for me :)

Describe alternatives you've considered

I'll solve the problem by using the explicit allow list approach. For security purposes I usually prefer allow lists, however here I see the danger that if an important dependency added usage rules it wouldn't be as easy to discover on a regeneration of usage rules as it'll likely not be in my allow list.

Additional context

We're on 1.2.5.

Thank you for all the work you do! It's greatly appreciated! 💚

[zachdaniel]

I think you'd want an exclude_sub_rules option for this, as the rules themselves are already opt-in exclusively by design. But sub-rules, we could support an exclude_sub_rules: ... option, i.e

you can do this today:

 usage_rules: [{:phoenix, sub_rules: [:foo, :bar]}],

so we'd add exclude_sub_rules as an option in that context. I'm not sure that adding an opt-out for specific top level dependencies makes sense though because its all opt-in at that layer already?

[zachdaniel]

I won't have time to dive into this, but PRs welcome!

[PragTob]

@zachdaniel ah! Yeah sorry, so I'm coming from the old version (and upgrade to 1.2.5). And the first suggested migration path is :all which is not opt in.

I don't need the exclude for sub rules, I'm fine listing out explicitly the ones I want.

What I'd like is a mechanism to discover "new" rules, because when I'm allow listing them I won't see if a package adds new rules easily.

Maybe that could be a new mix task then or sync would simply list out all the rules you're not including so you can double check against it? Something like that?

[zachdaniel]

Ah yeah okay I see what you mean. So yeah you could do something like {:except, ...}. Open to that as well 😄. Alternatively something like mix usage_rules.list could work or mix usage_rules.status that can show some information.

[PragTob]

Both of these seem individually useful, thanks!